ISPs blocking SMTP connections from dynamic IP address space

Mark admin at asarian-host.net
Fri Aug 8 05:54:29 PDT 2003


----- Original Message ----- 
From: "Lucas Holt" <luke at foolishgames.com>
To: "Doug Poland" <doug at polands.org>
Cc: "Nicole" <nicole at daemontech.com>; <questions at freebsd.org>
Sent: Wednesday, August 06, 2003 10:24 PM
Subject: Re: ISPs blocking SMTP connections from dynamic IP address space

> You guys need to rethink this thing. Reverse DNS checks are ok, but
> ip blocking for legitimate servers is silly.

I agree. You guys really need to rethink this. My turn to vent. :)

For starters, what is "dynamic IP address space" anyway? You would think
dialup-accounts or, at the very least, accounts that get their IP address
assigned from a dynamic IP address pool. Yet, reading this thread, "dynamic
IP address space" basically seems to mean: everyone who is not a major ISP.
There are many things wrong with that simplistic reasoning.

For one, just because whois.arin.net says a netblock is a "dynamic" address
pool, does not mean IP addresses assigned to customers are, de facto,
dynamic. In fact, especially with high-speed DSL accounts, here the opposite
is true: people get assigned what to them, and to the world at large, for
all intents and purposes, is a static IP address. In exchange for money,
their ISP grants them the exclusive use of a fixed IP address. They
register domain names on that IP address, and continue to use that one,
unchanging IP address for all interactions with the world. Literally
thousands of legitimate servers across the world run on such a (set of)
static IP address(es), regardless of what their netblock, high up in the
ARIN, or kindred, hierarchy is marked down as.

When you force all people to use their ISP's smtp server(s), you funnel, as
it were, a great number of clients through a single pinhole. Should that one
pinhole become blacklisted/blocked, then suddenly thousands of people, en
masse, can no longer send mail. Is that likely to occur? Yes. Because spam
will also be sent through that same pinhole. AOL will likely cancel the
account of the spammer; but spam will nonetheless have been sent through
that one pinhole. And then what? Then you are faced with an uncomfortable
choice: either I block the AOL smtp servers altogether, or I let them
through entirely. What you have lost then, in effect, is the ability to
discriminate. So, what then? You will whitelist the AOL smtp servers? That
would be stupid. :) Because if there is only one pinhole, whitelisting that
one pinhole is tantamount to giving all spammers a huge "passpartout". And
since, by your own act of narrow-sightedness, you have chosen to only deal
with that one pinhole, you can no longer tell chaff from grain. Way to go,
Einstein!

Perhaps the greatest fallacy of them all: the ludicrous assumption that large
ISPs do not spam. :) The largest sources of spam, their hypocrisy despite,
are precisely those big ISPs, like AOL and hotmail, to whom you can write
until you see blue in the face, but who do not give a damn, because they are
big and know it.

Do not be lazy; because you are. :) I know, I have been tempted too, many
times, to just block hotmail altogether, and so reduce 70% of all spam. Yet,
that would be laziness, really. Taking the easy route, like blocking all
what you think is "dynamic" address space, is really just laziness on your
part. It is you saying: "I can no longer be bothered to figure out who is
legit and who is not, so I will just block everything." That is bad
administration. Crying, "But SOMETHING needs to be done about spam,
therefore I am right," is not a valid argument either. :) Sure, SOMETHING
needs to be done about spam. But blocking thousands of legitimate servers
across the world, just because you are lazy, is not the solution. Be
meticulous in who you block, and be specific.

Simply configuring your mail server to use your ISP's smtp as smarthost, and
relay all outgoing email through them, is not as transparent and benign a
solution as suggested. You lose control over the way mail is being
delivered/bounced, for instance. All of a sudden your clients get
bounce-messages from the postmaster of your ISP, instead of from you
directly -- with all the ensuing confusion to boot. Can the freebsd.org
people look me in the eye, and really say they would not mind having AOL
deliver their mail for them, as smarthost? Honestly, nobody likes to be "in
ward" like that. It is as if your ISP would tell you, one day, that you can
no longer provide an IHAVE newsfeed, but have to use their news server's
POST command. Yeah, right. :) I have yet to encounter an administrator who
would not mind yielding to such condescension.

The main purpose of a mail exchanger is to exchange mail. :) Perhaps the
focus on spam has caused it, but many people look on this backwards: as the
administrator of your mail facility, your primary task is NOT to block
illegitimate mail, but to facilitate the flux of legitimate mail. If you can
do the former, kudos to you; but if you do it at great expense of the
latter, then you should not be commended. What is that, you say? Omelets and
breaking a few eggs? Sabotaging large parts of the Internet does not an
omelet make; in fact, you will only have done precisely that: broken things.

You guys really need to rethink this.

- Mark
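The thread contrasts two ways of deciding whether to accept an SMTP client: rejecting whole netblocks that a registry marks as "dynamic", versus checking what the individual host actually presents (the "reverse DNS checks are ok" and "be specific" points above). The following is an added example, not code from the post or from any of its participants: a per-host forward-confirmed reverse DNS (FCrDNS) classifier, with a constructed in-memory stand-in for the resolver, constructed sample addresses from the documentation ranges, and an assumed heuristic for pool-style hostnames. The policy table and the "scrutiny" action are illustrative placeholders for whatever filtering a site already runs.

```python
import ipaddress
import re

# Constructed sample DNS data standing in for a real resolver.
# 203.0.113.10  : proper FCrDNS (PTR -> name -> same address)
# 203.0.113.11  : PTR names a host whose A record points elsewhere
# 198.51.100.77 : FCrDNS passes, but the name looks like an ISP pool entry
# 192.0.2.5     : no PTR record at all
PTR_RECORDS = {
    "203.0.113.10": "mail.example.net",
    "203.0.113.11": "mail.example.net",
    "198.51.100.77": "dsl-198-51-100-77.pool.example-isp.net",
}
A_RECORDS = {
    "mail.example.net": {"203.0.113.10"},
    "dsl-198-51-100-77.pool.example-isp.net": {"198.51.100.77"},
}

# Heuristic (assumed, not a standard): tokens and dotted/dashed address
# fragments that ISPs commonly embed in auto-generated reverse names.
GENERIC_NAME = re.compile(
    r"\b(dsl|dhcp|dyn|dynamic|pool|ppp|cable|dialup)\b|(\d{1,3}[-.]){3}\d{1,3}",
    re.IGNORECASE,
)


def classify_client(ip, ptr=PTR_RECORDS, a=A_RECORDS):
    """Classify one connecting address by its reverse DNS.

    Returns (status, detail); status is one of
    no_ptr, ptr_mismatch, fcrdns_generic, fcrdns_ok.
    """
    addr = str(ipaddress.ip_address(ip))  # validates and normalises the text
    name = ptr.get(addr)
    if name is None:
        return "no_ptr", addr
    if addr not in a.get(name, set()):
        # The PTR name does not resolve back to this address: anyone can
        # point a PTR at "mail.example.net"; only the owner can close the loop.
        return "ptr_mismatch", name
    if GENERIC_NAME.search(name):
        return "fcrdns_generic", name
    return "fcrdns_ok", name


# Per-host policy: the verdict depends on what this host presents, not on
# which registry netblock it lives in. "scrutiny" stands for whatever content
# filtering the site already runs; "defer" means a 4xx temporary failure, so
# a legitimate sender with a DNS problem can fix it and retry.
POLICY = {
    "fcrdns_ok": "accept",
    "fcrdns_generic": "scrutiny",
    "ptr_mismatch": "defer",
    "no_ptr": "defer",
}


def decide(ip):
    """Return (action, status, detail) for a connecting SMTP client."""
    status, detail = classify_client(ip)
    return POLICY[status], status, detail


if __name__ == "__main__":
    for client in ("203.0.113.10", "203.0.113.11", "198.51.100.77", "192.0.2.5"):
        print(client, *decide(client))
```

Swapping the two dictionaries for real PTR and A lookups (for example with dnspython) turns this into a connection-time check; the point of the structure is that a host on a "dynamic" netblock that has set up matching forward and reverse names is treated on its own merits, while a host with no or mismatched reverse DNS gets a temporary failure it can act on rather than a silent blanket block.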
